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As state policymakers implement statewide longitudinal data systems that collect, store, link and share student-level data, it is critical that they 
understand applicable privacy and data security standards and laws designed to ensure the privacy, security and confidentiality of that data. To 
help state policymakers navigate this complex legal landscape, the Data Quality Campaign has partnered with Education Counsel and the 
Information Management Practice of Nelson Mullins Riley & Scarborough to develop Using Data to Improve Education: A Legal Reference Guide 
to Protecting Student Privacy and Data Security. This guide provides summaries of multiple federal and state laws that have implications for 
statewide longitudinal data systems. The full guide can be accessed in multiple ways: by federal law, state law by issue and state law by state. 
Visit www.dataqualitycampaign.org/privacv guide . 

The information provided here is intended to serve as a good starting place for policymakers. For more detailed information about any of the specific state laws, please contact 
Jon A. Neiditz, Partner, Nelson Mullins Riley & Scarborough LLP at ion.neiditz(5)nelsonmullins.com or 404.322.6139. 


Law 

Effective 

Date 

Summary 

Alabama 



Alaska 

Alaska Stat. § 45.48.400 

6/14/2008 

Prohibits any person from (1) intentionally communicating or otherwise making available to the general public an individual's 
SSN; (2) printing an individual's SSN on a card required for the individual to access products or services provided by the person; 
(3) requiring an individual to transmit the individual's SSN over the Internet unless the Internet connection is secure or the SSN 
is encrypted; (4) requiring an individual to use the individual's SSN to access an Internet site unless a password, a unique 
personal identification number, or another authentication device is also required to access the site; or (5) printing an 
individual's SSN on material that is mailed to the individual unless authorized by applicable law or the SSN is included on an 
application or other form, including a document sent as a part of an application process or an enrollment process, sent by mail 
to establish, amend, or terminate an account, a contract, or a policy, or to confirm the accuracy of the SSN; however, a SSN 
allowed to be mailed under this subparagraph may not be printed, in whole or in part, on a postcard or other mailer that does 
not require an envelope, or in a manner that makes the SSN visible on the envelope or without the envelope's being opened. 
Also contains provisions restricting request of SSNs and provisions requiring a company to adopt policies relating to secure 
destruction of SSNs and to conduct due diligence of and enter into an agreement with a third party destroying information. 

Sec. 45.48.440. Interagency disclosure. Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, a state or local 
governmental agency may disclose individual's SSN to another state or local governmental agency or to an agency of the 
federal government if the disclosure is required in order for agency to carry out the agency's duties and responsibilities. 
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Arizona 

Ariz. Rev. Stat. § 44- 
1373 

1/1/2005 

Prohibits any person or entity from (1) intentionally communicating or otherwise making an individual's SSN available to the 
general public; (2) printing an individual's SSN on any card required to receive products or services; (3) requiring an individual 
to transmit his or her SSN over the Internet unless the number is encrypted or the connection is secure; (4) requiring the use of 
a SSN to access an Internet Web site unless a password or other security device is used; (5) printing an individual's SSN on any 
material to be mailed to the individual, unless the inclusion of the SSN is required by law; and (6) disclosing more than 5 
numbers of an individual's SSN. This paragraph does not prohibit the mailing of documents that include SSNs sent as part of an 
application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy 
of the SSN. 

Ariz. Rev. Stat. 
§ 44-1373.02 

1/1/2009 

Prohibits any person or entity from (1) printing any sequence of more than 5 numbers of individual's SSN on any card required 
for the individual to receive products or services provided by the person or entity; and (2) printing any sequence of more than 
5 numbers of individual's SSN on any materials that are mailed to the individual, unless required by law. Exceptions if sent as 
part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm 
the accuracy of SSN or sequence of numbers. 

Arkansas 

Ark. Code Ann. § 4-86- 
107 

1/1/2007 

Unless authorized by law or pursuant to court rules, prohibits any person or entity from (1) publicly posting or displaying an 
individual's SSN in any manner; (2) printing an individual's SSN on any card required to receive products or services; (3) printing 
an individual's SSN on a postcard or in any other manner by which the SSN is visible from the outside; and (4) requiring an 
individual to transmit his or her SSN over the Internet unless the number is encrypted or the connection is secure. This section 
does not prevent the collection, use, or release of a SSN: (1) As required or explicitly authorized by federal or state law; or (2) 
Pursuant to state or federal court rules. 

California 

Cal. Civ. Code §1798.85 

7/1/2004 

Prohibits any person or entity from (1) publicly posting or displaying an individual's SSN in any manner; (2) printing an 
individual's SSN on any card required to receive products or services; (3) requiring an individual to transmit his or her SSN over 
the Internet unless the number is encrypted or the connection is secure; (4) requiring the use of a SSN to access an Internet 
Web site unless a password or other security device is used; and (5) printing an individual's SSN on any material to be mailed to 
the individual, unless the inclusion of the SSN is required by law. Exceptions if sent as part of an application or enrollment 
process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of SSN. 
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Colorado 

Colo. Rev. Stat. § 6-1- 
715 

1/1/2007 

Prohibits any person or entity from (1) publicly posting or publicly displaying in any manner an individual's SSN. "Publicly post" 
or "publicly display" means to intentionally communicate or otherwise make available to the general public; (2) printing an 
individual's SSN on any card required for the individual to access products or services provided by the person or entity; (3) 
requiring an individual to transmit his or her SSN over the internet, unless the connection is secure or the SSN is encrypted; (4) 
requiring an individual to use his or her SSN to access an internet web site, unless a password or unique personal identification 
number or other authentication device is also required to access the internet web site; and (5) printing an individual's SSN on 
any materials that are mailed to the individual, unless state or federal law requires, permits, or authorizes the SSN to be on the 
document to be mailed. Notwithstanding this paragraph (5), SSNs may be included in applications and forms sent by mail, 
including documents sent as part of an application or enrollment process, or to establish, amend, or terminate an account, 
contract, or policy, or to confirm the accuracy of the SSN. A SSN that is permitted to be mailed under this section may not be 
printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the 
envelope having been opened. 

Colo. Rev. Stat. § 23-5- 
127 

7/1/2003 

and 

(1) Each postsecondary institution in Colorado shall assign to each student enrolled in the institution a unique primary 
identifier that may be a series of numbers or characters. 


7/1/2004 

(2) On and after July 1, 2003, each postsecondary institution in Colorado shall take reasonable and prudent steps to ensure the 
privacy of a student's SSN. 



(3) (a) On and after July 1, 2004, a postsecondary institution in Colorado shall not use a student's SSN or part of a student's SSN 
as the student's primary identifier. 



(b) Notwithstanding the provisions of paragraph (a) of this subsection (3), the Colorado commission on higher education may 
allow a postsecondary institution in Colorado to use a student's SSN or part of a student's SSN as the student's primary 
identifier if: 

(I) The institution demonstrates to the satisfaction of the commission that the institution is unable to comply with the 
provisions of paragraph (a) of this subsection (3) because of the financial cost of compliance; and 

(II) The institution submits to the commission and the commission approves a plan and timetable for phasing out the use of a 
student's SSN or part of a student's SSN as the student's primary identifier. 

Colo. Rev. Stat. 

§ 22-68.5-102 
(as proposed by 
Colo. HB 09-1065) 

5/21/2009 

In connection with creation of an educator identifier system and pilot program in the department to assign unique identifiers 
to educators employed in a school district or local education agency, § 22-68.5-102(2) prohibits the unique educator identifier 
from using any personal identifying information, such as SSNs or contact information, except for alignment purposes in data 
processing. Any such personal identifying information that is collected shall be linked in a secure data location so data sets can 
be matched based on the personal identifying information when the identifier is not included. 
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Connecticut 

Conn. Gen. Stat. § 42- 
470 

Conn. Pub. Act 08-167 

1/1/2005 

10/1/2008 

Prohibits any person or entity, except government entities, from (1) publicly posting or displaying an individual's SSN in any 
manner; (2) printing an individual's SSN on any card required to receive products or services; (3) requiring an individual to 
transmit his or her SSN over the Internet unless the number is encrypted or the connection is secure; and (4) requiring the use 
of a SSN to access an Internet Web site unless a password or other security device is used. This section shall apply with respect 
to group and individual health insurance policies providing coverage of the type specified in subdivisions (1), (2), (4), (6), (10) 
and (12) of section 38a-469 that are delivered, issued for delivery, amended, renewed or continued on and after July 1, 2005. 
This section does not prevent the collection, use or release of a SSN as required by state or federal law or the use of a SSN for 
internal verification or administrative purposes. 

Companies that collect SSNs in the course of business must "publicly display" privacy protection policy that protects the 
confidentiality of SSNs, prohibits unlawful disclosure of SSNs and limits access to SSNs. Policy should be posted on company's 
webpage. 

Delaware 



Florida 

Fla. Stat. § 119.071 

10/1/2009 

§119.071(4) provides that SSNs of current and former government agency employees held by the employing agency are 
confidential and exempt from public records requirements. 

§119.071(5) prohibits a government agency from collecting an individual's SSN unless the agency has stated in writing the 
purpose for its collection and it is: (1) Specifically authorized by law; or (II) Imperative for the performance of that agency's 
duties as prescribed by law. Such agency shall identify in writing the specific federal or state law governing the collection, use, 
or release of SSNs for each purpose for which the agency collects the SSN, including any authorized exceptions. Each agency 
shall ensure that the collection, use, or release of SSNs complies with the specific federal or state law. SSNs collected by an 
agency may not be used by that agency for any purpose other than that provided in the written statement. An agency 
collecting an individual's SSN shall provide that individual with the written statement required by this provision. The written 
statement also shall state whether collection of the individual's SSN is authorized or mandatory under federal or state law. 

Each agency shall review whether its collection of SSNs is in compliance with this provision. If the agency determines that 
collection of a SSN is not in compliance, the agency shall immediately discontinue the collection of SSNs for that purpose. SSNs 
held by an agency may be disclosed if: (a) the disclosure of the SSN is expressly required by federal or state law or a court 
order; (b) the disclosure of the SSN is necessary for the receiving agency or governmental entity to perform its duties; (c) the 
individual expressly consents in writing to the disclosure of his or her SSN; (d) the disclosure of the SSN is made to comply with 
the USA Patriot Act of 2001, Pub. L. No. 107-56, or Presidential Executive Order 13224; (e) the disclosure of the SSN is made to 
a commercial entity for the permissible uses set forth in the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. ss. 2721 
et seq.; the Fair Credit Reporting Act, 15 U.S.C. ss. 1681 et seq.; or the Financial Services Modernization Act of 1999, 15 U.S.C. 
ss. 6801 et seq., provided that the authorized commercial entity complies with the requirements of this paragraph; (f) the 
disclosure of the SSN is for the purpose of administering health benefits for an agency employee or his or her dependents; (g) 
the disclosure of the SSN is for the purpose of administering a pension fund administered for the agency employee's 
retirement fund, deferred compensation plan, or defined contribution plan; and (h) the disclosure of the SSN is for the purpose 
of administering the Uniform Commercial Code by the office of the Secretary of State. 
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Georgia 

Ga. Code Ann. § 10-1- 

7/1/2006 

Prohibits any person, firm, or corporation from: (1) publicly posting or publicly displaying in any manner an individual's SSN. As 
used in this Code section, 'publicly post' or 'publicly display' means to intentionally communicate or otherwise make available 
to the general public; (2) requiring an individual to transmit his or her SSN over the Internet, unless the connection is secure or 

393.8 

the SSN is encrypted; or (3) requiring an individual to use his or her SSN to access an Internet website, unless a password or 
unique personal identification number or other authentication device is also required to access the Internet website. This Code 
section shall not apply to: (1) the collection, release, or use of an individual's SSN as required by state or federal law; (2) the 
inclusion of an individual's SSN in an application, form, or document sent by mail, electronically transmitted, or transmitted by 
facsimile: (A) as part of an application or enrollment process; (B) to establish, amend, or terminate an account, contract, or 
policy; or (C) to confirm the accuracy of the individual's SSN; (3) the use of an individual's SSN for internal verification or 
administrative purposes; or (4) an interactive computer service provider's or a telecommunications provider's transmission or 
routing of, or intermediate temporary storage or caching of, an individual's SSN. 

HB 1086 (amending 
para. 13.1 of Ga. Code 
Ann. 

§50-18-72) 

5/20/2010 

(13.1) Records that reveal the home address, the home telephone number, the e-mail address, or the SSN of or insurance or 
medical information about public employees or teachers and employees of a public school. For the purposes of this paragraph, 
the term 'public school' means any school which is conducted within this state and which is under the authority and 
supervision of a dulv elected countv or independent board of education. Public disclosure shall also not be reauired for records 
that reveal the home address, the home telephone number, the e-mail address, or the SSN of or insurance or medical 



information about employees or teachers of a nonpublic school; 

Hawaii 

Haw. Rev. Stat. § 487J-2 

7/1/2007 

Prohibits any business from (1) intentionally communicating or otherwise making available to the general public an individual's 
entire SSN; (2) intentionally printing or imbedding an individual's entire SSN on any card required for the individual to access 
products or services provided by the person or entity; (3) requiring an individual to transmit the individual's entire SSN over the 
internet, unless the connection is secure or the SSN is encrypted; (4) requiring an individual to use the individual's entire SSN to 
access an internet website, unless a password or unique personal identification number or other authentication device is also 
required to access the internet website; and (5) printing an individual's entire SSN on any materials that are mailed to the 
individual, unless the materials are employer-to-employee communications, or where specifically requested by the individual. 
This provision shall not apply to: (1) the inclusion of a SSN in documents that are mailed and: (A) are specifically requested by 
the individual identified by the SSN; (B) required by state or federal law to be on the document to be mailed; (C) required as 
part of an application or enrollment process; (D) used to establish, amend, or terminate an account, contract, or policy; or (E) 
used to confirm the accuracy of the SSN for the purpose of obtaining a credit report pursuant to 15 U.S.C. section 1681(b). A 
SSN that is permitted to be mailed under this paragraph may not be printed, in whole or in part, on a postcard or other mailer 
not requiring an envelope, or visible on the envelope or without the envelope having been opened; (2) the opening of an 
account or the provision of or payment for a product or service authorized by an individual; (3) the collection, use, or release of 
a SSN to investigate or prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a 
credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. sections 
1681 to 1681x, as amended; undertake a permissible purpose enumerated under the federal Gramm Leach Bliley Act, 15 U.S.C. 
sections 6801 to 6809, as amended; locate an individual who is missing or due a benefit, such as a pension, insurance, or 
unclaimed property benefit; or locate a lost relative; (4) a business or government agency acting pursuant to a court order, 
warrant, subpoena, or when otherwise required by law; (5) a business or government agency providing the SSN to a federal. 
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Hawaii cont. 


state, or local government entity including a law enforcement agency or court, or their agents or assigns; (6) the collection, use, 
or release of a SSN in the course of administering a claim, benefit, or procedure relating to an individual’s employment, 
including an individual’s termination from employment, retirement from employment, injuries suffered during the course of 
employment, and other related claims, benefits, or procedures; (7) the collection, use, or release of a SSN as required by state 
or federal law; (8) The sharing of the SSN by business affiliates; (9) The use of a SSN for internal verification or administrative 
purposes; (10) A SSN that has been redacted; and (11) documents or records that are recorded or required to be open to the 
public pursuant to the constitution or laws of the State or court rule or order, (c) a business or government agency covered by 
this section shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the 
requirements of this chapter are complied with. 

Idaho 



Illinois 

III. Comp. Stat 505/2QQ 
III. Comp. Stat 505/2RR 

HB 547, 

Public Act 096-0874 

1/1/2006 

7/1/2006 

1/22/2010 

and 

7/1/2010 

Prohibits any person or entity from printing an individual’s SSN on an insurance card. 

Prohibits any person or entity from (1) publicly posting or displaying an individual's SSN in any manner; (2) printing an 
individual's SSN on any card required to receive products or services; (3) requiring an individual to transmit his or her SSN over 
the Internet unless the number is encrypted or the connection is secure; (4) requiring the use of a SSN to access an Internet 
Web site unless a password or other security device is used; and (5) printing an individual's SSN on any material to be mailed to 
the individual, unless the inclusion of the SSN is required by law. Exceptions if sent as part of an application or enrollment 
process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of SSN. 

Creates the Identity Protection Act. In provisions concerning the public inspection and copying of information and documents, 
states that a person or state or local government agency must redact SSNs from information or documents containing all or 
any portion of an individual’s SSN. Prohibits such agencies from using SSNs in certain ways, but subject to exceptions. Requires 
each state or local government agency to develop and approve an identity-protection policy within 12 months after the 
effective date of the Act. Deletes provisions requiring each state and local government agency to include in their respective 
identity-protection policy penalties for violating the policy and a description of how to properly dispose of information and 
documents that contain SSNs. 

Section 10: (a) Beginning July 1, 2010, no person or State or local government agency may do any of the following: (1) Publicly 
post or publicly display in any manner an individual’s SSN. (2) Print an individual's SSN on any card required for the individual to 
access products or services provided by the person or entity. (3) Require an individual to transmit his or her SSN over the 
Internet, unless the connection is secure or the SSN is encrypted. (4) Print an individual’s SSN on any materials that are mailed 
to the individual, through the U.S. Postal Service, any private mail service, electronic mail, or any similar method of delivery, 
unless State or federal law requires the SSN to be on the document to be mailed. Notwithstanding any provision in this Section 
to the contrary, SSNs may be included in applications and forms sent by mail, including, but not limited to, any material mailed 
in connection with the administration of the Unemployment Insurance Act, any material mailed in connection with any tax 
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Illinois cont. 


administered by the Department of Revenue, and documents sent as part of an application or enrollment process or to 
establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the SSN. A SSN that may 
permissibly be mailed under this Section may not be printed, in whole or in part, on a postcard or other mailer that does not 
require an envelope or be visible on an envelope without the envelope having been opened. 

(b) Except as otherwise provided in this Act, beginning July 1, 2010, no person or State or local government agency may do any 
of the following: (1) Collect, use, or disclose a SSN from an individual, unless (i) required to do so under State or federal law, 
rules, or regulations, or the collection, use, or disclosure of the SSN is otherwise necessary for the performance of that agency's 
duties and responsibilities; (ii) the need and purpose for the SSN is documented before collection of the SSN; and (iii) the SSN 
collected is relevant to the documented need and purpose. (2) Require an individual to use his or her SSN to access an Internet 
website. (3) Use the SSN for any purpose other than the purpose for which it was collected. 

(c) The prohibitions in subsection (b) do not apply in the following circumstances: (1) The disclosure of SSNs to agents, 
employees, contractors, or subcontractors of a governmental entity or disclosure by a governmental entity to another 
governmental entity or its agents, employees, contractors, or subcontractors if disclosure is necessary in order for the entity to 
perform its duties and responsibilities; and, if disclosing to a contractor or subcontractor, prior to such disclosure, the 
governmental entity must first receive from the contractor or subcontractor a copy of the contractor's or subcontractor's policy 
that sets forth how the requirements imposed under this Act on a governmental entity to protect an individual's SSN will be 
achieved. (2) The disclosure of SSNs pursuant to a court order, warrant, or subpoena. (3) The collection, use, or disclosure of 
SSNs in order to ensure the safety of: State and local government employees; persons committed to correctional facilities, local 
jails, and other law-enforcement facilities or retention centers; wards of the State; and all persons working in or visiting a State 
or local government agency facility. (4) The collection, use, or disclosure of SSNs for internal verification or administrative 
purposes. (5) The disclosure of SSNs by a State agency to any entity for the collection of delinquent child support or of any 
State debt or to a governmental agency to assist with an investigation or the prevention of fraud. (6) The collection or use of 
SSNs to investigate or prevent fraud, to conduct background checks, to collect a debt, to obtain a credit report from a 
consumer reporting agency under the federal Fair Credit Reporting Act, to undertake any permissible purpose that is 
enumerated under the federal Gramm Leach Bliley Act, or to locate a missing person, a lost relative, or a person who is due a 
benefit, such as a pension benefit or an unclaimed property benefit. 

(d) If any State or local government agency has adopted standards for the collection, use, or disclosure of SSNs that are stricter 
than the standards under this Act with respect to the protection of those SSNs, then, in the event of any conflict with the 
provisions of this Act, the stricter standards adopted by the State or local government agency shall control. 

Section 30. Embedded SSNs. Beginning December 31, 2009, no person or State or local government agency may encode or 
embed a SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, RFID technology, 
or other technology, in place of removing the SSN as required by this Act. 
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Indiana 

Ind. Code § 4-1-10-5.5 

6/30/2006 

Disclosure of SSN by state educational institution. Unless prohibited by state law, federal law, or a court order, the following 
apply: 

(1) A state educational institution may disclose, in addition to the disclosures otherwise permitted by this chapter, a SSN of an 
individual to the following: 

(A) A state, local, or federal agency or a person with whom a state, local, or federal agency has a contract to perform the 
agency's duties and responsibilities. 

(B) A person that the state educational institution contracts with to provide goods or services to the state educational 
institution if: 

(i) the disclosure is necessary for the contractor to perform the contractor's duties and responsibilities under the contract; 
and 

(ii) the contract requires adequate safeguards, including any safeguards required by state or federal law, to prevent any use 
or disclosure of the SSNs for any purpose other than those purposes described in the contract and to require the return or 
confirmed destruction of any SSNs following termination of the contractual relationship. 

(C) Persons to whom the state educational institution may otherwise legally disclose for the permissible purposes of the 
following: 

(i) The Family Education Rights and Privacy Act (20 U.S.C. 1232g et seq.). 

(ii) The Health Insurance Portability and Accountability Act (42 U.S.C. 201 et seq.). 

(D) The state educational institution's legal counsel, but only to the extent that a state educational institution could disclose a 
SSN to an in-house counsel. 

(2) Consent for the authorized disclosure of any individual's SSN may be given to a state educational institution by electronic 
transmission if the state educational institution is reasonably able to verify the authenticity of the consent. A state educational 
institution may rely on the written consent of an individual given to a third party if the consent expressly permits the disclosure 
of the individual's SSN by the state educational institution. 

Iowa 



Kansas 

Kan. Stat. Ann. § 75- 
3520 

7/1/2006 

Prohibits any individual or business from soliciting, requiring or using for commercial purposes an individual's SSN unless such 
number is necessary for such person's normal course of business and there is a specific use for such number for which no other 
identifying number may be used. This subsection does not apply to documents or records that are recorded or required to be 
open to the public pursuant to state or federal law, or by court rule or order, and this paragraph does not limit access to these 
documents or records or to the collection, use or release of SSNs for the following purposes: (A) mailing of documents that 
include SSNs sent as part of an application or enrollment process or to establish, amend or terminate an account, contract or 
policy or to confirm the accuracy of the SSN; (B) internal verification or administrative purposes; (C) investigate or prevent 
fraud, conduct background checks, conduct social or scientific research, collect a debt, obtain a credit report from or furnish 
data to a consumer reporting agency pursuant to the fair credit reporting act, 15 U.S.C. § 1681, et seq., undertake a permissible 
purpose enumerated under the Gramm-Leach Bliley Act, 15 U.S.C. § 6802 (e), or locate an individual who is missing, a lost 
relative, or due a benefit, such as pension, insurance or unclaimed property benefit; or (D) otherwise required by state or 
federal law or regulation. 
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Kentucky 



Louisiana 

La. Rev. Stat. Ann. § 
17:440 

1/1/2002 

§440. School employees; prohibition on use of SSNs as personal identifiers 

A. For the purposes of this Section: 

(1) "School board" shall include any city, parish, or other local public school board and the governing authority of any 
nonpublic school. 

(2) "Teacher or school employee" shall include teachers and school employees employed by a school board. 

B. Except as required by any applicable state or federal law, rule, or regulation or policy of the State Board of Elementary and 
Secondary Education, no school board shall use the SSN of a teacher or school employee as a means of identification for such 
teacher or school employee. 

C. No teacher or school employee in the course of his employment shall be required to include or provide his SSN on any form 
or other written document unless: 

(1) A SSN is required by any applicable state or federal law, rule, or regulation or policy of the State Board of Elementary and 
Secondary Education; or 

(2) The form or written document is required for employment, retirement, application for leave, or an individualized 
education plan. 

D. No school board and no school official or employee shall provide access to any form or document on which the SSN of a 
teacher or school employee appears to any person other than the following: 

(1) Any official or employee of the school at which the teacher or school employee works, of the employing school board, of 
the state Department of Education, or of the State Board of Elementary and Secondary Education, when such access is 
necessary for the performance of the duties and responsibilities of the official or employee. 

(2) Any person authorized to have such access by the teacher or school employee. 

Maine 

Me. Rev. Stat. tit. 20-A 
§ 6005 

9/12/2009 

The Commissioner of Education may require a school administrative unit to collect and report individual student SSNs to 
implement the Maine Statewide Longitudinal Data System only if additional federal funding is received to expand the 
department's kindergarten to grade 12 longitudinal data system existing as of the effective date of this section to a statewide 
system. The Dept, of Education must implement an automated system that matches the SSNs of former participants in state 
educational and training programs with information in the files of state and federal agencies that maintain educational, 
employment and United States armed services records and shall implement procedures to identify the occupations of those 
former participants whose SSNs are found in employment records. If the Commissioner requires a school administrative unit to 
collect and report individual SSNs pursuant to section 15689-B, subsection 7, the school administrative unit must notify parents 
in the annual notice required under FERPA that the data is being collected and used for longitudinal data purposes and must 
request the parent to provide written consent to use the child's SSN for the collection of longitudinal data. The parental 
notification must include an explanation of the parent's right that the child's SSN is not required as a condition of enrollment 
and that the child's SSN may not be used for longitudinal data purposes unless the parent provides prior written consent. 

When a student attains 18 years of age, the written consent must be obtained from the student, and the rights accorded to the 
parent before the student attained 18 years of age are then accorded to the student. 
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Maryland 

Md. Code Ann., Com. 

1/1/2006 

Prohibits any person or entity, except government entities, from (1) publicly displaying or posting an individual's SSN; (2) 
printing an individual's SSN on any card required to receive products or services; (3) requiring an individual to transmit his or 
her SSN over the Internet unless the number is encrypted or the connection is secure; (4) initiating the transmission of an 
individual's SSN unless the connection is secure; (5) requiring the use of a SSN to access an Internet Web site unless a password 
or other security device is used; (6) printing an individual's SSN on any material to be mailed to the individual, unless the 
inclusion of the SSN is required by law; (7) electronically transmitting an individual's SSN unless the connection is secure or the 
SSN is encrypted unless required by law; and (8) faxing an individual's SSN to that individual unless required by law. Exceptions 
if authorized by law or if sent as part of an application or enrollment process or to establish, amend or terminate an account, 
contract or policy or to confirm the accuracy of SSN. 

Law § 14-3401. et seq. 

Massachusetts 



Michigan 

Mich. Comp. Laws § 

445.82 

Mich. Comp. Laws § 

445.83 

Mich. Comp. Laws § 

445.84 

3/1/2005 

1/1/2006 

1/1/2006 

Prohibits any person or entity from (1) publicly posting or displaying more than 4 sequential digits of an individual's SSN; (2) 
using more than 4 sequential digits of an individual's SSN as the primary account number for an individual; (3) visibly printing 
more than 4 sequential digits of an individual's SSN on any identification badge or card, membership card, or permit or license; 
(4) requiring an individual to transmit more than 4 sequential digits of his or her SSN over the Internet unless the number is 
encrypted or the connection is secure; (5) requiring the use of more than 4 sequential digits of an individual's SSN to access an 
Internet Web site unless a password or other security device is used; and (6) (as of 1/1/2006) printing more than 4 sequential 
digits of an individual's SSN on any material to be mailed to the individual. Exceptions if requested by individual, if law 
authorizes, permits or requires it, if it is sent as part of an application or enrollment process, to establish, confirm status of, 
service, amend or terminate an account, contract, policy or employee or health insurance benefit or to confirm the accuracy of 
SSN. 

If person obtains 1 or more SSNs in ordinary course of business, must create privacy policy published in employee handbook or 
similar document that (1) ensures confidentiality of SSNs; (2) prohibits unlawful disclosure of SSNs; (3) limits who has access to 
information or documents with SSNs; (4) describes how to properly dispose of documents with SSNs; and (5) establishes 
penalties for violations. Exception for person in compliance with FCRA or GLBA. 

A person who obtains 1 or more SSNs in the ordinary course of business shall create a privacy policy that does at least all of the 
following concerning the SSNs the person possesses or obtains: (a) Ensures to the extent practicable the confidentiality of the 
SSNs; (b) Prohibits unlawful disclosure of the SSNs; (c) Limits who has access to information or documents that contain the 
SSNs; (d) Describes how to properly dispose of documents that contain the SSNs; (e) Establishes penalties for violation of the 
privacy policy. The privacy policy should be published in an employee handbook, in a procedures manual, or in 1 or more 
similar documents, which may be made available electronically. This provision does NOT apply to person possessing SSNs in 
ordinary course of business and in compliance with FCRA or Subtitle A of title V of GLBA. 
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Minnesota 

Minn. Stat. § 325E.59 
Minn. Stat. § 325E.59 

7/1/2007 

7/1/2008 

Prohibits any person or entity, except government entities, from (1) publicly posting or displaying an individual's SSN in any 
manner; (2) printing an individual's SSN on any card required to receive products or services; (3) requiring an individual to 
transmit his or her SSN over the Internet unless the number is encrypted or the connection is secure; (4) requiring the use of a 
SSN to access an Internet Web site unless a password or other security device is used; or (5) printing an individual's SSN on any 
material to be mailed to the individual, unless the inclusion of the SSN is required by law (no duty to inquire if received from 
third party unless the recipient knows that the number is or includes the individual's SSN). Exceptions if authorized by law or if 
sent as part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to 
confirm the accuracy of SSN. 

Prohibits any person or entity, except government entities, from (1) publicly posting or displaying an individual's SSN in any 
manner; (2) printing an individual's SSN on any card required to receive products or services; (3) requiring an individual to 
transmit his or her SSN over the Internet unless the number is encrypted or the connection is secure; (4) requiring the use of a 
SSN to access an Internet Web site unless a password or other security device is used; (5) printing an individual's SSN on any 
material to be mailed to the individual, unless the inclusion of the SSN is required by law (no duty to inquire if received from 
third party unless the recipient knows that the number is or includes the individual's SSN); (6) assigning or using as the primary 
account identifier that is identical or incorporates an individual's SSN, except in conjunction with an employee or member 
retirement or benefit plan or human resource or payroll administration; or (7) selling SSNs in ordinary course of business. 
Exceptions if authorized by law or if sent as part of an application or enrollment process or to establish, amend or terminate an 
account, contract or policy or to confirm the accuracy of SSN. For purposes of paragraph clause (7), "sell" does not include the 
release of an individual's SSN if the release of the SSN is incidental to a larger transaction and is necessary to identify the 
individual in order to accomplish a legitimate business purpose. The release of a SSN for the purpose of marketing is not a 
legitimate business purpose under this paragraph. Must also restrict employees, agents, or contractors who require access to 
records containing SSNs to perform job duties. 

Mississippi 

SSSSSSi 


Missouri 

Mo. Rev. Stat. § 
407.1355 

1/1/2006 

Prohibits any person or entity, except government entities, from (1) publicly displaying or posting an individual's SSN, including 
any activity that would make the SSN available to an individual's coworkers, (2) requiring an individual to transmit his or her 
SSN over the Internet unless the number is encrypted or the connection is secure, (3) requiring the use of a SSN to access an 
Internet Web site unless a password or other security device is used, and (4) requiring an individual to use his or her SSN as an 
employee number for any type of employment-related activity. This section does not prevent the collection, use, or release of 
a SSN as required by state or federal law or the use of a SSN for internal verification or administrative purposes. 

Montana 
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Nebraska 

Neb. Rev. Stat. § 48-237 

9/1/2008 

Prohibits any employer from (1) publicly posting or publicly displaying in any manner more than the last four digits of an 
employee's SSN, including intentional communication of more than the last four digits of the SSN or otherwise making more 
than the last four digits of the SSN available to the general public or to an employee's coworkers; (2) requiring an employee to 
transmit more than the last four digits of his or her SSN over the Internet unless the connection is secure or the information is 
encrypted; (3) requiring an employee to use more than the last four digits of his or her SSN to access an Internet web site 
unless a password, unique personal identification number, or other authentication device is also required to access the 
Internet web site; or (4) requiring an employee to use more than the last four digits of his or her SSN as an employee number 
for any type of employment-related activity. Except as otherwise provided in subdivision (b) of this subsection, an employer 
shall be permitted to use more than the last four digits of an employee's SSN only for: (i) compliance with state or federal laws, 
rules, or regulations; (ii) internal administrative purposes, including provision of more than the last four digits of SSNs to third 
parties for such purposes as administration of personnel benefit provisions for the employer and employment screening and 
staffing; and (iii) commercial transactions freely and voluntarily entered into by the employee with the employer for the 
purchase of goods or services, (b) The following uses for internal administrative purposes described in subdivision (a)(ii) of this 
subsection shall not be permitted: (i) as an identification number for occupational licensing; (ii) as an identification number for 
drug-testing purposes except when required by state or federal law; (iii) as an identification number for company meetings; (iv) 
in files with unrestricted access within the company; (v) in files accessible by any temporary employee unless the temporary 
employee is bonded or insured under a blanket corporate surety bond or equivalent commercial insurance; or (vi) for posting 
any type of company information. 

Nevada 



New Hampshire 



New Jersey 

N.J. Stat. § 56:8-164 

1/1/2006 

Prohibits any person from (1) publicly posting or publicly displaying an individual's SSN, or any four or more consecutive 
numbers taken from the individual's SSN; (2) Printing an individual's SSN on any materials that are mailed to the individual, 
unless State or federal law requires the SSN to be on the document to be mailed; (3) printing an individual's SSN on any card 
required for the individual to access products or services provided by the entity; (4) intentionally communicating or otherwise 
make available to the general public an individual's SSN; (5) requiring an individual to transmit his SSN over the Internet, unless 
the connection is secure or the SSN is encrypted; or (6) requiring an individual to use his SSN to access an Internet web site, 
unless a password or unique personal identification number or other authentication device is also required to access the 
Internet web site. Nothing in this section shall prevent the collection, use or release of a SSN, as required by State or federal 
law. SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or 
enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN. A 
SSN that is permitted to be mailed under this exception may not be printed, in whole or in part, on a postcard or other mailer 
not requiring an envelope, or visible on the envelope or without the envelope having been open. 
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New Mexico 

N.M. Stat. Ann. § 57- 
12B-3 

1/1/2006 

Prohibits a business from requiring a consumer's SSN as a condition for the consumer to lease or purchase products, goods or 
services from the business. A company acquiring or using SSNs of consumers shall adopt internal policies that (1) limit access to 
the SSNs to those employees authorized to have access to that information to perform their duties; and (2) hold employees 
responsible if the SSNs are released to unauthorized persons. 

N.M. Stat. Ann. § 57- 
12B-4 

1/1/2006 

Prohibits a business from (1) making the entirety of a SSN available to the general public. This prohibition includes: 

(a) intentionally communicating a SSN to the general public; and (b) printing a SSN on a receipt issued for the purchase of 
products or services, including a receipt for the purchase of services from the state or its political subdivisions; (2) requiring the 
use of a SSN: (a) over the internet without a secure connection or encryption security; or (b) to access an internet account 
unless a password or unique personal identification number or other personal authentication device is also required to access 
the account; (3) printing a SSN on materials mailed to a consumer unless authorized or required by federal or state law; 
provided that nothing in this paragraph prohibits a business from requiring a consumer, as part of an application or enrollment 
process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN, to enter a 
SSN on material to be mailed by the consumer as long as it is not required to be entered, in whole or in part: (a) on a postcard 
or other mailer not requiring an envelope; (b) on the envelope; or (c) in any other manner in which the number may be visible 
without the envelope being opened; (4) transmitting material that associates a SSN with an account number for a bank, savings 
and loan association or credit union, unless both numbers are required as part of an application or enrollment process or to 
establish, amend or terminate an account, contract or policy or to confirm the accuracy of the social security, bank, savings and 
loan association or credit union account number; or (5) refusing to transact business because of a refusal to provide the SSN for 
use of that number in a manner prohibited by Paragraphs (1) through (4) of this subsection. The provisions of this section do 
not apply to: ... (2) the collection, use or release of a SSN by a business if the business complies with Subsection D of N.M. Stat. 
Ann. § 57-12B-3 [adoption of internal policies] and if the collection, use or release: (a) is part of an application or enrollment 
process or is used to establish, amend or terminate an account, contract or policy; (b) is required or authorized by federal or 
state law or is required for the business to comply with federal or state law; or (c) is for internal verification or administrative 
purposes; or (3) documents that are filed in court or public records or documents recorded in public records or required to be 
open to the public under federal law, state law, applicable case law, supreme court rule or the constitution of New Mexico. 

New York 

N.Y. Gen. Bus. Law § 
399-h 

12/4/2006 

A person, business, etc. cannot destroy a record containing "personal identifying information" (including SSN) unless such 
person (1) shreds the record before the disposal of the record; or (2) destroys the personal identifying information contained in 
the record; or (3) modifies the record to make the personal identifying information unreadable; or (4) takes actions consistent 
with commonly accepted industry practices that it reasonably believes will ensure that no unauthorized person will have access 
to the personal identifying information contained in the record. 
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New York, cont. 

N.Y. Gen. Bus. Law 

1/3/2009 

No person, firm, partnership, association or corporation, not including the state or its political subdivisions, shall do any of the 
following: (a) Intentionally communicate to the general public or otherwise make available to the general public in any manner 
an individual's SSN. This paragraph shall not apply to any individual intentionally communicating to the general public or 

§ 399-dd 


otherwise making available to the general public his or her SSN. (b) Print an individual's SSN on any card or tag required for the 
individual to access products, services or benefits provided by the person, firm, partnership, association or corporation, (c) 
Require an individual to transmit his or her SSN over the internet, unless the connection is secure or the SSN is encrypted, (d) 
Require an individual to use his or her SSN to access an internet web site, unless a password or unique personal identification 
number or other authentication device is also required to access the internet website, (e) Print an SSN on any materials that 
are mailed to the individual, unless state or federal law requires the SSN to be on the document to be mailed. Notwithstanding 
this paragraph, SSNs may be included in applications and forms sent by mail, including documents sent as part of an application 
or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the 
SSN. A SSN that is permitted to be mailed under this section may not be printed, in whole or part, on a postcard or other mailer 
not requiring an envelope, or visible on the envelope or without the envelope having been opened, (f) Encode or embed a SSN 
in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place 
of removing the SSN as required by this section. 

New York Labor Law 
§203-d 

1/3/2009 

Restricts Employers use and dissemination of Employees SSN. Specifically, the Employer cannot, unless otherwise required by 
law: (a) publicly post or display an employee's SSN; (b) Visibly print a SSN on any ID badge or card, including time card; (c) Place 
a SSN in files with unrestricted access; or (d) Communicate an employee's personal identifying information to the general 
public. 203-d also defines "Personal Identifying Information" to includes employee's SSN, homes address, phone number, 
personal e-mail address, Internet ID and password, parent's surname prior to marriage or driver's license number. It also 
prohibits the use of SSNs as an ID number for the purpose of any occupation licensing. 

North Carolina 

N.C. Gen. Stat. § 75-62 

12/1/2005 

Prohibits a business from (1) intentionally communicating or otherwise making available to the general public an individual's 
SSN; (2) intentionally printing or imbedding an individual's SSN on any card required for the individual to access products or 
services provided by the person or entity; (3) requiring an individual to transmit his or her SSN over the Internet, unless the 
connection is secure or the SSN is encrypted; (4) requiring an individual to use his or her SSN to access an Internet Web site, 
unless a password or unique personal identification number or other authentication device is also required to access the 
Internet Web site; (5) printing an individual's SSN on any materials that are mailed to the individual, unless state or federal law 
requires the SSN to be on the document to be mailed; (6) selling, leasing, loaning, trading, renting, or otherwise intentionally 
disclose an individual's SSN to a third party without written consent to the disclosure from the individual, when the party 
making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a 
legitimate purpose for obtaining the individual's SSN. A business covered by this section shall make reasonable efforts to 
cooperate, through systems testing and other means, to ensure that the requirements of this Article are implemented. This 
section shall not apply in the following instances: (1) When a DDN is included in an application or in documents related to an 
enrollment process, or to establish, amend, or terminate an account, contract, or policy; or to confirm the accuracy of the SSN 
for the purpose of obtaining a credit report pursuant to 15 U.S.C. 1681(b)(2). A SSN that is permitted to be mailed under this 
section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the 
envelope or without the envelope having been opened. (2) To the collection, use, or release of a SSN for internal verification or 
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North Carolina 

cont. 


administrative purposes. (3) To the opening of an account or the provision of or payment for a product or service authorized by 
an individual. (4) To the collection, use, or release of a SSN to investigate or prevent fraud, conduct background checks, 
conduct social or scientific research, collect a debt, obtain a credit report from or furnish data to a consumer reporting agency 
pursuant to the Fair Credit Reporting Act, 15 U.S.C. 1681, et seq., undertake a permissible purpose enumerated under Gramm 
Leach Bliley, 12 C.F.R. 216.13-15, or locate an individual who is missing, a lost relative, or due a benefit, such as a pension, 
insurance, or unclaimed property benefit. (5) To a business acting pursuant to a court order, warrant, subpoena, or when 
otherwise required by law. (6) To a business providing the SSN to a federal, state, or local government entity, including a law 
enforcement agency, court, or their agents or assigns. (7) To a SSN that has been redacted. 

North Dakota 



Ohio 



Oklahoma 

Okla. Stat. tit. 40, § 
173.1 

1/1/2005 

Prohibits employing entity from (1) publicly displaying or posting an employee's SSN; (2) printing the SSN of an employee on 
any card required for the employee to access information, products, or services; (3) requiring an employee to transmit his or 
her SSN over the Internet unless the number is encrypted or the connection is secure; (4) requiring an employee to use an SSN 
to access an Internet Web site unless a password or other security device is used; and (5) printing an employee's SSN on any 
materials mailed to the employee, unless the SSN is required by law to be in the materials. This section shall not prevent the 
collection, use, or release of a SSN as otherwise required by state or federal law or the use of a SSN for internal verification or 
administrative purposes. An employee may also provide an employing entity with written permission to use their SSN for any 
of the uses otherwise prohibited by this section. 

Oregon 

Or. Rev. Stat. § 
646A.620 

10/1/2007 

Except as otherwise specifically provided by law a person shall not: (a) Print a consumer's SSN on any materials not requested 
by the consumer or part of the documentation of a transaction or service requested by the consumer that are mailed to the 
consumer unless redacted; (b) Print a consumer's SSN on any card required for the consumer to access products or services 
provided by the person; or (c) Publicly post or publicly display a consumer's SSN unless redacted. As used in this paragraph, 
"publicly post or publicly display'' means to communicate or otherwise make available to the public. This section does not 
prevent the collection, use, or release of a SSN as required by state or federal law, including statute, Oregon Rules of Civil 
Procedure or rule adopted by the Chief Justice of the Supreme Court, the Chief Judge of the Court of Appeals orthejudge of 
the Oregon Tax Court, or the use or printing of a SSN for internal verification or administrative purposes or for enforcement of 
a judgment or court order. 
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Pennsylvania 

Pa. SB 601 

(74 Pa. Stat. Ann. § 201) 

6/29/2006 

Prohibits any business from (1) publicly posting an individual's SSN in any manner; (2) printing a individual's SSN on any card 
required for the individual to access the products or services provided by the entity; (3) requiring an individual to transmit his 
or her SSN over the internet, unless the transmission is encrypted; or requiring an individual to use the SSN to access a website 
unless a password or unique personal identification number or other authentication device is also required, and (4) printing an 
individual's SSN on any materials that are mailed to an individual, except where required by federal or state law, but in no 
event may the SSN be visible on the mailer, such as using a postcard. SSNs, however, may be included in applications and forms 
sent by mail, including documents sent (i) as part of an enrollment process, (ii) to establish, amend or terminate an account, 
contract or policy, or (iii) to confirm the accuracy of a SSN. 

Rhode Island 

R.l. Gen. Laws § 6-48-8 

1/1/2008 

Prohibits any person or entity from (1) intentionally communicating or otherwise making available to the general public an 
individual's SSN; (2) printing an individual's SSN on any card required for the individual to access products or services provided 
by the person or entity; (3) requiring an individual to transmit his or her SSN over the Internet, unless the connection is secure 
or the SSN is encrypted; (4) requiring an individual to use his or her SSN to access an Internet Website, unless a password or 
unique personal identification number or other authentication device is also required to access the Internet Website; and (5) 
printing an individual's SSN on any materials that are mailed to the individual, unless state or federal law requires the SSN to be 
on the document to be mailed. Notwithstanding this paragraph, SSNs may be included in applications and forms sent by mail, 
including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, 
contract or policy, or to confirm the accuracy of the SSN. A SSN that is permitted to be mailed under this section may not be 
printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the 
envelope having been opened. The provisions of this section do not apply to documents that are recorded or required to be 
open to the public pursuant to the Rhode Island general laws chapter 42-46. This section does not apply to records that are by 
statute or case law required to be made available to the public by entities provided for in the Rhode Island Constitution. This 
section does not prevent the collection, use, or release of a SSN as required by state or federal law or the use of a SSN for 
internal verification or administrative purposes. 

South Carolina 

S.C. Code § 37-20-180 

7/1/2009 

Prohibits any person from (1) publicly posting or publicly displaying or otherwise intentionally communicating or making 
available to the general public a consumer's SSN or a portion of it containing 6 digits or more; (2) intentionally printing or 
imbedding a consumer's SSN or any portion of it containing 6 digits or more on any card required for the consumer to access 
products or services provided by the person; (3) requiring a consumer to transmit his SSN or a portion of it containing 6 digits 
or more over the Internet, unless the connection is secure or the SSN is encrypted; (4) requiring a consumer to use his SSN or a 
portion of it containing 6 digits or more to access an Internet web site, unless a password or unique personal identification 
number or other authentication device is also required to access the Internet web site; (5) printing a consumer's SSN or a 
portion of it containing 6 digits or more on materials that are mailed to the individual, unless state or federal law requires the 
SSN to be on the document to be mailed; (6) selling, leasing, loaning, trading, renting, or otherwise intentionally disclosing a 
consumer's SSN or a portion of it containing 6 digits or more to a third party without written consent to the disclosure from the 
consumer, unless the third party seeking disclosure of the SSN does so for a legitimate business or government purpose or 
unless authorized or specifically permitted by law to do so or unless the disclosure is otherwise imperative for the performance 
of the person's duties and responsibilities as prescribed by law. A legitimate business purpose of the third party includes, but is 
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South Carolina 

cont. 


not limited to, locating an individual to provide a benefit to that individual, such as a pension, insurance, or unclaimed property 
benefit, or to find an individual who is missing or a lost relative, or to serve civil process. A legitimate purpose of the third party 
does not include the bulk purchase or rental of SSNs or use in marketing. This section does not apply: (1) if a SSN is included in 
an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, contract, or 
policy, or to confirm the accuracy of the SSN for the purpose of obtaining a credit report pursuant to the federal Fair Credit 
Reporting Act. A SSN that is permitted to be mailed pursuant to this section may not be printed, in whole or in part, on a 
postcard or other mailer not requiring an envelope or may not be visible on or through the envelope; (2) to the collection, use, 
or release of a SSN for internal verification or administrative purposes; (3) to the opening of an account or the provision of or 
payment for a product or service authorized by a consumer; (4) to the collection, use, or release of a SSN to investigate or 
prevent fraud, conduct background checks, conduct social or scientific research, collect a debt, including a debt collected 
pursuant to the Setoff Debt Collection Act, Section 12-56-10, and the Governmental Enterprise Accounts Receivable Collections 
program. Section 12-4-580, or obtain a credit report from or furnish data to a consumer reporting agency, pursuant to the 
federal Fair Credit Reporting Act or to undertake a purpose permissible pursuant to the Gramm-Leach-Bliley Act or Driver's 
Privacy Protection Act; (5) to a person acting pursuant to a court order, warrant, subpoena, or other legal process; (6) to a 
person providing the SSN to a federal, state, or local government entity, including a law enforcement agency or court, or their 
agents or assigns; (7) to a financial institution as defined in the Gramm-Leach-Bliley Act; (8) to the submission and use of a SSN 
or other personal identifying information as part of the maintenance and reporting of employment records, employment 
verification, or in the course of the administration or provision of employee benefits programs, claims, and procedures related 
to employment including, but not limited to, termination from employment, retirement from employment, injuries suffered 
during the course of employment, and other such claims, benefits, and procedures; (9) to a recorded document in the official 
records of a county; or (10) to a document filed in the official records of the court. 

South Dakota 



Tennessee 

Tenn. Code Ann. 

§ 47-18-2110 

HB 618 amending Tenn. 
Code Ann. §47-18-2110 

1/1/2008 

7/1/2009 

No person or business entity may (1) post or display SSNs obtained for legitimate business purposes in public; (2) transmit such 
SSNs over the Internet unless the SSN is encrypted or the connection is secure; (3) require the use of a SSN to access an 
Internet Web site unless a password or other authentication device is used; or (4) print such SSN on materials mailed to a 
consumer unless required by law or the document is a form or application. These requirements do not apply to the disclosure 
of a federal SSN by an entity so long as such disclosure is for a legitimate business or governmental purpose and occurs 
pursuant to the terms of a business or governmental contract or other lawful legal obligation. 

New (5) prohibits a business or other entity from printing a consumer's SSN on a card, identification or badge if the consumer 
has to display or present in order to receive a benefit, good, service or other thing of value to which the consumer is entitled 
based upon the consumer's contract or other agreement with the entity issuing such card, identification or badge. 

to add (5) 
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Texas 


Requires that businesses disposing of business records containing a customer's personal identifying information must modify, 
by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable. 


Tex. Bus. & Com. Code 
Ann. 35.48 

Tex. Bus. & Com. Code 
Ann. 35.58 


9/1/2005 


9/1/2005 


Prohibits a person from printing an individual's SSN on a card or other device required to access a product or service provided 
by the person unless the individual has requested in writing such printing. A person may not require a request for such printing 
as a condition to receipt of or access to a product or service provided by the person. Does no apply to (1) the collection, use, or 
release of a SSN that is required by state or federal law, including Chapter 552, Government Code; or (2) the use of a SSN for 
internal verification or administrative purposes. 


Tex. Bus. & Com. Code 
Ann. 501.001 et seq. 


4/1/2009 


Tex. Dus. & Com. Code Ann. 501.001 , (recodified from Tex. Bus. & Com. Code Ann. 35.58, eff. 9/1/2005). Prohibits any 
person or entity, except government entities, from (1) intentionally communicating an individual's SSN to the general public; 
(2) printing an individual's SSN on any card required to access or receive products or services; (3) requiring an individual to 
transmit his or her SSN over the Internet unless the number is encrypted or the connection is secure; (4) requiring the use of a 
SSN to access an Internet Web site unless a password or other security device is used; and (5) printing an individual's SSN on 
any materials mailed to the individual, unless the SSN is required by law to be in the materials. 


Tex. Bus. & Com. Code Ann. 501.002 , eff. 4/1/2009. Prohibits a person from printing an individual's SSN on a card or other 
device required to access a product or service provided by the person unless the individual has requested in writing that 
printing. The person may not require a request for that printing as a condition of receipt of or access to a product or service 
provided by the person. Does not apply to: (1) the collection, use, or release of a SSN required by state or federal law, including 
Chapter 552, Government Code; or (2) the use of a SSN for internal verification or administrative purposes. This section applies 
to a card or other device issued in connection with an insurance policy only if the policy is delivered, issued for delivery, or 
renewed on or after March 1, 2005. 

Tex. Bus & Com. Code Ann. 501.052 , eff. 4/1/2009 1 2 3 . May not require an individual to disclose the individual's SSN to obtain 
goods or services from or enter into a business transaction with the person unless the person: (1) adopts a privacy policy as 
provided by Subsection (b); (2) makes the privacy policy available to the individual; and (3) maintains under the privacy policy 
the confidentiality and security of the SSN disclosed to the person, (b) A privacy policy adopted under this section must include: 
(1) how personal information is collected; (2) how and when the personal information is used; (3) how the personal 
information is protected; (4) who has access to the personal information; and (5) the method of disposal of the personal 
information. 


1 Note that this law does not apply to (1) a person who is required to maintain and disseminate a privacy policy under: (A) the Gramm-Leach-Bliley Act (15 U.S.C. Sections 6801 to 6809); 
(B) the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g); or (C) the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.); 

(2) a covered entity under rules adopted by the commissioner of insurance relating to insurance consumer health information privacy or insurance consumer financial information privacy; 

(3) a governmental body, as defined by Section 552.003, Government Code, other than a municipally owned utility; or (4) a person with respect to a loan transaction, if the person is not 
engaged in the business of making loans. Tex. Bus. & Com. Code Ann. 501.051. 
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Utah 

7/1/2006 


Utah Code Ann. 

Prohibits insurers from publicly posting an individual's SSN in any manner or printing an individual's SSN or place of birth on 


any card required for the individual to access products or services provided or covered by the insurer. 

§ 31A-21-110 


Utah Code Ann. 

9/1/2008 

Prohibits any person (excluding government agencies) from displaying a SSN in a manner or location that is likely to be open for 

§ 13-45-301 


public view unless otherwise permitted by law. 

Utah Code Ann. 

3/24/2009 

(1) Except as provided in Subsection (2), an employer may not request the following information before an applicant is offered 

§ 34-46-201 


a job: (a) SSN; (b) date of birth; or (c) driver license number. 

(2) An employer may request the information listed in Subsection (1) before an applicant is offered a job only if: (a) the request 
for information is applicable to any applicant applying for the position for which the applicant is applying; (b) the information is 
requested during the time in the employer's employment selection process when the employer: (i) obtains a criminal 
background check; (ii) obtains a credit history of an applicant for employment, subject to the requirements of the Fair Credit 
Reporting Act, 15 U.S.C. Sec. 1681 et seq.; (iii) obtains a driving record of a driver from the Driver License Division in accordance 
with Section 53-3-104 or 53-3-420; (iv) subject to Subsection (3), conducts a review of the internal records of the employer to 
determine whether: (A) the applicant was previously employed by the employer; or (B) the applicant previously applied for 
employment with the employer; or (v) collects the information to provide it to a government entity for the purpose of: (A) 
determining eligibility for a government service, benefit, or program that requires that the information is collected on or 
before the day on which an offer of employment is made; or (B) participating in a government service, benefit, or program that 
requires that the information is collected on or before the day on which an offer of employment is made; and (c) the applicant 
consents to the employer taking the action described in Subsection (2)(b). 

(3) If the information listed in Subsection (1) is requested under Subsection (2)(b)(iv), the employer may only request that 
information listed in Subsection (1) that is necessary to conduct the review of the employer's internal records. 
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Vermont 

Vt. Stat. Ann. Tit. 9 § 
2440 (2006) 

Vermont cont. 

1/1/2007 

Prohibits businesses from (1) intentionally communicating or otherwise make available to the general public an individual's 
SSN; (2) intentionally printing or imbedding an individual's SSN on any card required for the individual to access products or 
services provided by the person or entity; (3) requiring an individual to transmit his or her SSN over the internet unless the 
connection is secure or the SSN is encrypted; (4) requiring an individual to use his or her SSN to access an internet website, 
unless a password or unique personal identification number or other authentication device is also required to access the 
internet website; (5) printing an individual's SSN on any materials that are mailed to the individual, unless state or federal law 
requires the SSN to be on the document to be mailed; (6) selling, leasing, lending, trading, renting, or otherwise intentionally 
disclosing an individual's SSN to a third party without written consent to the disclosure from the individual, when the party 
making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a 
legitimate purpose for obtaining the individual's SSN. This section shall not apply: (1) When a SSN is included in an application 
or in documents related to an enrollment process, or to establish, amend, or terminate an account, contract, or policy; or to 
confirm the accuracy of the SSN for the purpose of obtaining a credit report pursuant to 15 U.S.C. § 1681(b)(2). A SSN that is 
permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring 
an envelope, or visible on an envelope without the envelope having been opened. (2) To the collection, use, or release of a SSN 
reasonably necessary for administrative purposes or internal verification. (3) To the opening of an account or the provision of 
or payment for a product or service authorized by an individual. (4) To the collection, use, or release of a SSN to investigate or 
prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a credit report from or 
furnish data to a consumer reporting agency pursuant to the fair credit reporting act, 15 U.S.C. § 1681, et seq.; undertake a 
permissible purpose enumerated under Gramm Leach Bliley, 12 C.F.R. § 216.13-15; or locate an individual who is missing, is a 
lost relative, or is due a benefit, such as a pension, insurance, or unclaimed property benefit. (5) To a business acting pursuant 
to a court order, warrant, subpoena, or when otherwise required by law, or in response to a facially valid discovery request 
pursuant to rules applicable to a court or administrative body that has jurisdiction over the disclosing entity. (6) To a business 
providing the SSN to a federal, state, or local government entity, including a law enforcement agency, the department of public 
safety, and a court, or their agents or assigns. (7) To a SSN that has been redacted. 
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Virginia 

Va. Code Ann. § 2.2- 
3808 (see amended law 
below) 


7/1/2003 

(until 

7/1/2010) 


Agency-issued identification cards, student identification cards, or license certificates issued or replaced on or after July 1, 
2003, shall not display an individual's entire SSN except as provided in § 46.2-703. Any agency-issued identification card, 
student identification card, or license certificate that was issued prior to July 1, 2003, and that displays an individual's entire 
SSN shall be replaced no later than July 1, 2006, except that voter registration cards issued with a SSN and not previously 
replaced shall be replaced no later than the December 31st following the completion by the state and all localities of the 
decennial redistricting following the 2010 census. This subsection shall not apply to (i) driver's licenses and special 
identification cards issued by the Department of Motor Vehicles pursuant to Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 and (ii) 
road tax registrations issued pursuant to § 46.2-703. 


HB 433 

(amending and re- 
enacting Va. Code § 
2.2-3808) 


Va. Code Ann. § 59.1- 
443.2 


7/1/2010 


7//1/2005 

& 

7/1/2008 

(as 

amended) 


A. It shall be unlawful for any agency to: (1) Require an individual to disclose or furnish his SSN not previously disclosed or 
furnished, for any purpose in connection with any activity, or to refuse any service, privilege, or right to an individual wholly or 
partly because the individual does not disclose or furnish such number, unless the disclosure or furnishing of such number is 
specifically required by state law in effect prior to January 1, 1975, or is specifically authorized or required by federal law; or (2) 
Collect from an individual his SSN or any portion thereof unless the collection of such number is (i) authorized or required by 
state or federal law and (ii) essential for the performance of that agency's duties. Nothing in this subdivision shall be construed 
to prohibit the collection of a SSN for the sole purpose of complying with the Virginia Debt Collection Act (§ 2.2-4800 et seq.) or 
the Setoff Debt Collection Act (§ 58.1-520 et seq.). 

B. Agency-issued identification cards, student identification cards, or license certificates issued or replaced on or after July 1, 
2003, shall not display an individual's entire SSN except as provided in § 46.2-703. 

C. Any agency-issued identification card, student identification card, or license certificate that was issued prior to July 1, 2003, 
and that displays an individual's entire SSN shall be replaced no later than July 1, 2006, except that voter registration cards 
issued with a SSN and not previously replaced shall be replaced no later than the December 31st following the completion by 
the state and all localities of the decennial redistricting following the 2010 census. This subsection shall not apply to (i) driver's 
licenses and special identification cards issued by the Department of Motor Vehicles pursuant to Chapter 3 (§ 46.2-300 et seq.) 
of Title 46.2 and (ii) road tax registrations issued pursuant to § 46.2-703. 

D. No agency, as defined in § 42.1-77, shall send or deliver or cause to be sent or delivered, any letter, envelope, or package 
that displays a SSN on the face of the mailing envelope or package or from which a SSN is visible. 

E. Subsections A and C shall not be applicable to licenses issued by the State Corporation Commission's Bureau of Insurance 
until a national insurance producer identification number has been created and implemented in all states[.] 

Prohibits any person or entity from (1) intentionally communicating another individual's SSN to the general public; (2) printing 
an individual's SSN on any card required to access or receive products or services; (3) requiring the use of a SSN to access an 
Internet Web site unless a password or other security device is used; and (4) mailing a package with the SSN visible from the 
outside. This section does not prohibit the collection, use, or release of a SSN as permitted by the laws of the Commonwealth 
or the United States, or the use of a SSN for internal verification or administrative purposes unless such use is prohibited by a 
state or federal statute, rule, or regulation. No person shall embed an encrypted or unencrypted SSN in or on a card or 
document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the 
SSN as required by this section, (bolded text in amendment) 
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Washington 

* 


Washington, DC 



West Virginia 

* 


Wisconsin 

Wis. Stat. §36.62 

4/19/2004 

(1) In this section, "institution of higher education" means an institution within the system or a private educational institution 
located in this state that awards a bachelor's or higher degree or provides a program that is acceptable toward such a degree. 

(2) An institution of higher education may assign to each student enrolled in the institution a unique identification number. An 
institution of higher education shall not assign to any student an identification number that is identical to or incorporates the 
student's SSN. This subsection does not prohibit an institution of higher education from requiring a student to disclose his or 
her SSN, nor from using a student's SSN if such use is required by a federal or state agency or private organization in order for 
the institution or the student to participate in a particular program. 

Wyoming 
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